IETF Logo Mail Archive

Re: [stir] Review of: draft-ietf-stir-rfc4474bis-10

"Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com> Wed, 17 August 2016 21:57 UTC

Return-Path: <Pierce.Gorman@sprint.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 634C712D67C for <stir@ietfa.amsl.com>; Wed, 17 Aug 2016 14:57:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1iFQDa4A0Z_g for <stir@ietfa.amsl.com>; Wed, 17 Aug 2016 14:57:05 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0112.outbound.protection.outlook.com [104.47.34.112]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E3E212D7A0 for <stir@ietf.org>; Wed, 17 Aug 2016 14:48:38 -0700 (PDT)
Received: from BL2FFO11FD009.protection.gbl (10.173.160.31) by BL2FFO11HUB025.protection.gbl (10.173.161.49) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.567.7; Wed, 17 Aug 2016 21:48:36 +0000
Authentication-Results: spf=pass (sender IP is 144.230.32.82) smtp.mailfrom=sprint.com; bbiw.net; dkim=none (message not signed) header.d=none;bbiw.net; dmarc=bestguesspass action=none header.from=sprint.com;
Received-SPF: Pass (protection.outlook.com: domain of sprint.com designates 144.230.32.82 as permitted sender) receiver=protection.outlook.com; client-ip=144.230.32.82; helo=preapdm3.corp.sprint.com;
Received: from preapdm3.corp.sprint.com (144.230.32.82) by BL2FFO11FD009.mail.protection.outlook.com (10.173.161.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.567.7 via Frontend Transport; Wed, 17 Aug 2016 21:48:36 +0000
Received: from pps.filterd (preapdm3.corp.sprint.com [127.0.0.1]) by preapdm3.corp.sprint.com (8.15.0.59/8.15.0.59) with SMTP id u7HLBZJQ020737; Wed, 17 Aug 2016 17:48:36 -0400
Received: from plswe13m07.ad.sprint.com (plswe13m07.corp.sprint.com [144.229.214.26]) by preapdm3.corp.sprint.com with ESMTP id 24vxsdrhc8-1 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 17 Aug 2016 17:48:36 -0400
Received: from PLSWE13M08.ad.sprint.com (2002:90e5:d61b::90e5:d61b) by PLSWE13M07.ad.sprint.com (2002:90e5:d61a::90e5:d61a) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 17 Aug 2016 16:48:35 -0500
Received: from PLSWE13M08.ad.sprint.com ([fe80::ac2b:5efb:6c96:db7d]) by PLSWE13M08.ad.sprint.com ([fe80::5db1:e508:58c7:c6ed%24]) with mapi id 15.00.1210.000; Wed, 17 Aug 2016 16:48:35 -0500
From: "Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com>
To: Mary Barnes <mary.ietf.barnes@gmail.com>, "Peterson, Jon" <jon.peterson@neustar.biz>
Thread-Topic: [stir] Review of: draft-ietf-stir-rfc4474bis-10
Thread-Index: AQHR+MlawFWovp1VakirtcyY4idXt6BNqBdg
Date: Wed, 17 Aug 2016 21:48:34 +0000
Message-ID: <6bd1e4bc946a4a02a1f4fdac385984b9@PLSWE13M08.ad.sprint.com>
References: <c3a85ffc-8340-ac54-4d8e-21a16fefd032@dcrocker.net> <D3D41210.1A72E4%jon.peterson@neustar.biz> <CAHBDyN7W8zkgGjeUqzGaxLfRD-nFDgD9R3kxioQ47Kbp4_B8EA@mail.gmail.com>
In-Reply-To: <CAHBDyN7W8zkgGjeUqzGaxLfRD-nFDgD9R3kxioQ47Kbp4_B8EA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.214.116.32]
Content-Type: multipart/alternative; boundary="_000_6bd1e4bc946a4a02a1f4fdac385984b9PLSWE13M08adsprintcom_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:144.230.32.82; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(7916002)(2980300002)(438002)(24454002)(377454003)(189002)(199003)(2950100001)(106466001)(30436002)(87936001)(2900100001)(54356999)(19300405004)(76176999)(5890100001)(19625215002)(106116001)(92566002)(4546004)(50986999)(68736007)(5640300001)(7846002)(5001770100001)(626004)(2906002)(15975445007)(7736002)(230783001)(97736004)(86362001)(356003)(189998001)(19580395003)(108616004)(7906003)(512874002)(19580405001)(586003)(4326007)(5250100002)(24736003)(3846002)(7696003)(8936002)(33646002)(8676002)(81156014)(16236675004)(81166006)(102836003)(19617315012)(790700001)(84326002)(11100500001)(6116002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2FFO11HUB025; H:preapdm3.corp.sprint.com; FPR:; SPF:Pass; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; BL2FFO11FD009; 1:HEYr0BcPcbcP27WLyDlPtmhardiuEKaiY46JuMa5gnHx5UJZSSkFOxA+uAI+I9PzNaSgOXT3JtrHupmVmLmslVJQplebc1X0DOqT3L2fCNrPMMsvIG4tX2fVhmjhcmEuWWCYMrWyn6G2SBPHJuM595bU7dAaYVoBndixwWmn7GPTkrFgtVmw9HoUBSpE9mK0N6ZWQeapoDYJx0NZzwegqAEtkryRTSwSFypka40dnmV6NHQesQiACRhv+YmCm+66ZsNlfvQLFwTsUBhQFzSZmO4IJNS4ojwMFSySgTQCJxI1lSqkyre6+5xajU41ml3mblxxZG9N6jN9jMrog9Kkt63sxCRPAJnCVsQhMx1T0GelEBfN3nasPYkhB0r1oWDvsWSa7p3QVGUI2lfrlx9y1TQbRGatreGUDihcejvTsMBnMiMh5lzq6JgI0YkNgnW2PWgsFpt2+cEtc+yqgIjmIYxEFD3UConjpgbWckXJL0SInzp8Vg4JTO417fq5BhqN/Q0gDI6aa9SMB+xgWL6EiObzgVGZBmY3+gx+2g8Dhny6Kn+yE/s5xqNXaoU8W4z7ii8mPXZiYXDTTbRxLEmaOVYUlTA+Zr2lSDCo0l72hdM=
X-MS-Office365-Filtering-Correlation-Id: 302d4473-5ec6-405b-d18a-08d3c6e83e15
X-Microsoft-Exchange-Diagnostics: 1; BL2FFO11HUB025; 2:G0XX31inEgljrzyFKsapMqWGMvxPiurMej5vHxcDgPQjdOPRYBAuqZCxG5K3cbVGcHCPmanDmcElmyZxt5KCZIt/XLGjWp9reov4qdwqKh+dLX2ZdVr1wVSWUk0QWEBfiYH3qEFi18QC5pgGTd83NIt54a+cVLYwCxgWa56WcvAIaEx/iPN+BnF8KM3ucyIU; 3:2Wn+mKrIxUhdoJQDY15kwpMTHq8L7ZdOWH7ww9ow8894Snn+hKXPV30Jxazchq5B/QLXaRRQ27DKVeayTZX2WN6Wh8GhlzC6X+tY3Ueo2ZpOKdZkwQQyCsOOOtSlwTxhdjG42WfH7BWXwQdHARb/kYkJU/gn6nusgaUBuN61S6m1jdPmUScQqJ4yuUyu68n5jEa9sGi2+LlYtg662z/N8b677/1j4t28+MXzPGV94NhDq5zb/2TwnMTXpLlUNzaBjkDcYQdWrN+4XAF4K5M2yA==
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(8251501002); SRVR:BL2FFO11HUB025;
X-Microsoft-Exchange-Diagnostics: 1; BL2FFO11HUB025; 25:mFU4MX4WGo9NMMqqU9ZaCTqJELF21UcVtgyQMewAwOQZKq+1CkS+XbEgs92BSGhrvI8T9gn2UhsIKXFul5eS0s0WouvH4/JXJZ5f2n6zJ2YFZE/VjsfVuQo7vjRolh8sMj7Bdydkn6bQ5aMSqRUSDS8XX3mS8Z9EJ6UmJRENnVm+oeRM4rAFvwjfKNnIiu5HY413CGRLgwtqX2etiQsG7ViK+BluHFlUXte2yse0gc/CAQWh0QbCkcNI4SBf7VJCn5BPrd0ozEqU9j4xx9uAJk4/LVmlyANx1WxrzP5KywEvDBdJfsIM1hI6R2TYmYgKP7NC11wQf+7/r3uTTuRVAwBk1Ed0G9qDtAcrWq9LQyhsOFCzrDgVy5Hyiehm+fYHKKsrVUR0sGULkG1BM8J8fsKaStz8aoq3JYqe9KXIp131YbPHnFY9DQ0UysKKGAa6Mok0o62kwXYGgdVmKv0iUtVyTS65KKa7NghD3iAj1iZLdYFrkwwoIXRExKEAoa3CNth5BHT32tEemUmQoMEvS9OyWIrTxZxDGQ5S+8bNSv7QEnTnNsQRBn91ZBzZA5eJaGzkJ9+Eg7xckNKO5Q0EjqTuWFGPxFGVXGMAepyXEU592J93+xdND01VYcWR+5X1fERqLtxkNBDV37okdZHKUxQyc49rR/2Z34IMVwUlQT8WhfvTj2XAWlxKSybHhCH8qr6hCEyViumtLlsmnw5S3QTN+LYzIFkI0Zofmvz08Hi1ZbZ3sjZ1/DpMJnCJmusYBekJIoT2YqVuriTi4pCG8XCqjNC2SMvX/8GfcYe1+G7PduZL/DmkLkZTcnVZcVMyZgZQh4vWcoDdnbVtmkBiCFz+D/ragUBVTpKmrXtjzpLXzXzBpW+b4MRwUk6xl2VHLsRZPLxo09lxP0OYXYnd+n52otnQ9xiKu2AeeYsBDX5h7bX1HBoFyCWvs7jzuyqM1Oe9rzXzSfPTswcwqOl09wZfOcV6znjTR13YMuUzpWX4X0TopnKXcx3S6flmX8z+IzacZBlYRyxyowE4qPPFl35aRbtgKKlkDP32oNyKkCWWcVN43ENiHDMuEztz+f0itTltx8t/LLGiRP8yboiV5Q==
X-Microsoft-Exchange-Diagnostics: 1; BL2FFO11HUB025; 31:AYfpDJQ7JgmlNoiGZAAizs5bqxwtEEOtUT8w13XLudfdK2mBXntL/RSak0nhP0XjMA5OdCTnIsrYm2ohPDyHE9EDNNNatOpIzmkSYECkDZ8Rjjmo5oWqml6WUq7tdanPbqTuCWHdbQldfRU1RUwXhuqzzWfjUCcdKe3I4QrLnBmWchV+swT+3nUmDCrdWYGBy36RfwrZu+/uaJir2i7rNF5Ogw01BZ4lMxC7eJnRb7c=; 20:9n/xWkxnQFmCCDlRDqoFTvr0C0VYIOGx4iAL2sZW1w2XL+kxPAz7zx73Zm19N3U3DOSDPtLpGF2fmtyqsy4RiTnFACQcuc9Tpk+/Hs7W2e/ELrk+TiDeSgdlx13zw5RrPratpdHo0PXNUSpY5Ljo082eX2lfP2zwQ/fGYy/6Cgy6WhmGAwMBAgJU8WGD2oIPs7h2twI+2Elp0mHlzBXegeAFZSLsvhGgvduYk+iW2XQrEJG+HrBD0BLmN5n1iBn4/GjWVwm8QOe46L877P71sOjMPTKBCAaHR8bEsua0rq9Tg8Heql/DETRQJIuHRYJWUA6Yd1X9IR1rk6Xe315HC+twLLQRvzYThx7s8rQbBllRS19j3q3zceXTXc+aI/tl97tlrsmZ7Ki8Gx5utymoKwBnAKj/EMGQf/5xDe4K4SQ=
X-Microsoft-Antispam-PRVS: <BL2FFO11HUB02531D3300AC85EBB4D763289140@BL2FFO11HUB025.protection.gbl>
X-Exchange-Antispam-Report-Test: UriScan:(278428928389397)(21748063052155);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(8121501046)(5005006)(13018025)(13015025)(13023025)(13017025)(13024025)(3002001)(10201501046)(6055026); SRVR:BL2FFO11HUB025; BCL:0; PCL:0; RULEID:; SRVR:BL2FFO11HUB025;
X-Microsoft-Exchange-Diagnostics: 1; BL2FFO11HUB025; 4:qiQWFnkGRzxJhl4m820i3b8UqTETwZadIX9AaAf7CjfbmQ7sxnEfzKdHO2p1NbcUxqw05LuRbPzam41H9xJovwaOr1ZrY+yV2GKQ8p6CL/nk3CbPyjhzPjQOy29zcZ+2S5NMeopvQFGkdQ+orp+09sSTleNxx8NE4RtqQciKIh7CKwz7QWNgP5HODWaPiwxy19PTT4bX5//dnct/TnKslIfpRC25XRqWHmu1pDjh4NiBBmNYurQ6Jonc4V6GYqPYNKBJknD75i5oLI0v4OCBztoLDnbrhOA8aPhhcf2ePPAarD6Vn+07bQFURyqkr3x5kLQJmNmBbnFGJBKydRg9dAAqZflvUb5Onn5H8PM3FWoDQTVJkktQRFTaBF8eBEB1/PDgRXCAtArof8FLFiUR3E154S/194lFQKbZLnrw7SspWW1WCeT5K+rcX/fO9hWALF7tJhrd7HI2v5Rz+j27sB4BvbMMNrl7oUZ83MPjItgHOBNzM4n++Ta6l0D3+Su8j00bcjs3wbb1M2hXg9KXUzprcL1cHV9n6AX8ZPxrScpszIHSM1z2VCjtMWiLm2nuOqXKXsJLTheojWVMNWwe5w==
X-Forefront-PRVS: 0037FD6480
X-Microsoft-Exchange-Diagnostics: 1; BL2FFO11HUB025; 23:6V0ugsEKw+7puU6ITx8Ljq4hx+vaZqy9xRPFX1FQsrJP0TA7Z6ZnnARzaYrDLj0EmojAldVii8oXgc31ypfjXfW8UjBs4hL47yU73rP+DtVCU+6/pnRfCiUc1n1WniED5+KF1srx/1LTfawJdM5H4s07/wJ9gYIqXulPLTxrI4T2IB/Oxm1X6GR+k04sJKAkDYmsogTfPCA8vibtMFGK4em/XmO/oykYi5KXmj2I5p4mdBx1nhRwIdGATcZociEZE3jE5LHNMouRLB24a5AwW0D+C9eY997d63sbwKyK3CAD/x/1i3MdEgCulLsXtOMtsA/w7JTiN9npNRNsllqdTPpq9smw2xiHIiqCOoyFM578Qioz58xD7kUVAP2bqfqfP2Y9fLMlq3in9v6Kfq54xTtCmMrDyn+8xo9o2KuJdJ00RNP1pfH7DRHXxiivVR3xVWC3hOAbn9KHNGXWy4a5nV4osFDTkSJxuyS5PWNyUy5RS11M6/W2s8ZtdmSDT83ZtRZiSmu9W2sWaFPa1US5qAH1daf4vrS/GP/IBllujGV/isxhlqr9GOJA5AhGJC2/11GVIfEbql0zsoZEc0nwFQtqH7rrh3IFQPsAUba6vZyekJOGfYSuG2hpS4xucUXe20LPelzjGXgGpOlGs0McUBL74W+SmechI7NCGScvRxogA1+9EiBBpd1BQtRq6unQovr9YCcTSA2aUa2w+W85Z97Q8mJl0Jjfa0bXzfcCq7yabjoRwOgNgWaM1mM46vAktRjSoaIWSWt5GLr1qm9VjlmUw2SE+A6ytNklR8z2rxOzO+OydsAGIuJxopLwHaNyXvH/ormEwWSeH66IMdtZHhagaGcCTC8Xq2nXrwH603XTU9z67Nc7rqxdIGCaLV5Tpbm/n+jOg2VDZJGuwbRY0x8kWKET8LegfDP0HlJz4KuOnkF2y6v6nH3KLwrZtTAPd0EKX336C7GzJa1ZBrOOtOsCS/1wPY4TNBmSVgAQjmL+HY5xnLPFVVGX0DGKPSgd+g5OaQW+XZYyZnhk7klhFd5RW3MAIX3DhlNnoN+oRxGGWn4sCvL8E3pQang6zKYQwCsY6V2bi1QFpLKXdYAd8frFdjcJVCgQK59ceJKafHzWr9sTkZMUMNaCwTruOlgagsMPweYJq9tSDZNs+9+TV/EEcKPMfpjJUZI1sg6v5S2HtoeEMkE4GaU/E8Fj4a7tIrLeQ4x6LjNbq3pKh37mabFX/h8qgvB7XtpR9XhdJZYgx+uw9Vqt8FEllY2D3uwmbyfCvlhROutldo8otTzeGh2hXenltFBxClatvNfv/6ltMmOtw4dXj+onVeKCBDT7Besc8iq3vgvIWKQCwJyTla7vCq5p05teNArvLovQtzk1a9UujslwaK4H8HyDNvV20UkF1cgXvP0AC+hVOnHNUg==
X-Microsoft-Exchange-Diagnostics: 1; BL2FFO11HUB025; 6:nZLjD0XuUM9ylolWr68d1sOFuB8NVhnPAJJ70Gx/NT75LSsobV83GtoJ6E2RD6qY3J+wl2pMIo9PRcE139ruvLDKVvqu2EhWhvEozToGP1KnmyKsdjQhOd1jzhbEK7K7AHKpC12Rcg5PTn0+lCV5HJYl9Z7Kh/lsxv1SEvEaxgnOw75B9eTV7ledpWW0ez/Ha4odClHFHxheaW3VgxTo4dU3ruVXJF8aBmi/R/m38elhKkGinwLeRUl7y1Mq5wTDtWv91xBouxQ3J78vatEV3/F5cA/D4cbsi2Cb5Td0DK+MvxAChTApNAgwwnFRLWgRKyQP39mRE1CcdSfUw5VDSw==; 5:qHvi1gAsMiqNKc+eMtfmBQB5ogYT4NYMnUWGrHkHhhrL+qpGJ1Urz2dw+BiI9SIuO0xhjx7jS/ywdDcoNQtYpGWH7/mPJzlB2CBi8p5EkM0QpV3JCrVIbqLNvk7BkPcC5KAhBM4F/6M/65qpYR12PA==; 24:kN3j960mpZD17kIGBugU5IjOziHy0jIA7yqP9ugxkJeKs+5oBVQPXrJ96ltfJP2sTHDs11EIkhsqFubDz2Limi6cobOeTtYrb+6HEYfSezc=; 7:J58KXpAhiR39rC2kdQqOouhHyGPu4kpSqqoEpvfkzs1PCH5u7hIsTYcOhrTVfYy+PLLIwnDaZsNm44YEIXiBCUAJoU3qgdIQyO3A/4GIlu0ofYeWY6bFD8YAjjIYEN34yypOhNWLvYi57stDfSl2rrIAyLAGOh7P1kRKsKyViUAZo/rervg0S8jXZNn8FO9xSoWKLkxvQmGzp1USHT+Drt0kOAqPDYzPoIwJa9v7KyFndV/wyZN8QTmipLA2fsIH
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: sprint.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Aug 2016 21:48:36.4921 (UTC)
X-MS-Exchange-CrossTenant-Id: 4f8bc0ac-bd78-4bf5-b55f-1b31301d9adf
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=4f8bc0ac-bd78-4bf5-b55f-1b31301d9adf; Ip=[144.230.32.82]; Helo=[preapdm3.corp.sprint.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2FFO11HUB025
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/6y7x4S3iOY_wzEGsTc80pLajn0U>
Cc: "stir@ietf.org" <stir@ietf.org>, "dcrocker@bbiw.net" <dcrocker@bbiw.net>
Subject: Re: [stir] Review of: draft-ietf-stir-rfc4474bis-10
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 21:57:08 -0000

Sorry.  Not responding to Mary’s excellent comments. I didn’t see Jon’s e-mail and don’t want to go look for it, so I’m replying to Jon’s e-mail that Mary was responding to.  (smiley emoticon)

In reading Mary’s remarks I saw that Jon said, “[Dave] pointed out that we really don't have any motivation for including multiple Identity headers in there, and we probably do need an indication of what future work might use that feature.”

It has occurred to me before that multiple signatures might be handy.  Intentionally and illegtimately authenticating spoofed calling numbers is possible.  A proxy which had information about an untrustworthy source might like to add a signature which in effect says, “you can trust the call came from the originator owning the certificate, but you cannot trust that the cert owner used it legitimately”.  It would be a way to preserve the originating authentication information which is useful, but deprecating it too.

I suppose there could be History-Info sorts of applications too.

Pierce

From: Mary Barnes [mailto:mary.ietf.barnes@gmail.com]
Sent: August 17, 2016 2:04 PM
To: Peterson, Jon <jon.peterson@neustar.biz>
Cc: stir@ietf.org; dcrocker@bbiw.net
Subject: Re: [stir] Review of: draft-ietf-stir-rfc4474bis-10

Jon,

Thanks for responding to Dave's comments - I found that quite helpful.  I have some comments/responses below [MB].  As a caveat to my responses, I did not read all the details in Dave's review.

Regards,
Mary.

On Sat, Aug 13, 2016 at 2:40 AM, Peterson, Jon <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>> wrote:

I finally had a chance to go through these comments, and I did want to
provide a few responses on Dave's review of rfc4474bis here.

>Taken on its own and also when taken with its companion documents, the
>specifications are confusing and incomplete.  It is quite far from being
>ready for publication.

Having looked through Dave's specific concerns, I don't think he makes his
case for this criticism.

>Terminology is used inconsistently. It often is introduced with no
>background or citation.  Many uses of 'header' are probably supposed to
>be 'header field'.  My sense is that quite a bit of terminology is used
>equally loosely.

I think the use of terminology in the specification has proper background
and citations. Certainly Dave is correct that the text is pretty lax with
"header" vs. "header field" vs. "header field value," no denying that. If
people think this is a big deal, I will fix it. But the suggestion that
because this is true, terminology is loosely used to a point where it
would hamper implementation, that I think his comments don't really
substantiate.

[MB] As pendantic as it might seem, in my experience, the expectation is that we are precise with terminology in the specs, so that qualifying 'header' as 'header field' and 'parameter' as 'header field parameter' is a reasonable expectation. I've had to do that with the RFCs that I've authored and in re-reading this document recently, I think it adds to the readability/understanding in particular since the ABNF comes later. [/MB]


>There is no integrative architectural description, so the reader has
>difficulty understanding what all of the pieces are or how they fit
>together.  In fact is appears that the document itself gets confused on
>this matter.

I'm not sure what an "integrative architectural description" would entail,
but there are a number of sections that provide overviews of operations
and related examples of how the architectural piece come together. I don't
think anything in the review comments genuinely substantiates that the
document itself is confused about its own architecture.

>Algorithms are all offered only as prose and often in a form mitigating
>comprehension, such as tending towards negation or disjunction, which
>humans process less well than affirmatives and conjunctions. From what I
>can tell, the algorithms often are incomplete, but serious analysis is
>difficult.

Algorithms are offered in steps with normative language, if that's what
you mean by "prose form". RFCs are typically composed of prose. The review
does reveal some very striking views about specmanship and algorithms in
particular which are foreign to my experience in the IETF.

>The documents appear to rely on a reader's having quite a bit of prior
>knowledge and are certainly not usable by an implementer who is not
>already deeply embedded in the community that produced these
>specifications.  My impression is that being embedded won't suffice
>either, both from my assessment of the documents' deficiencies and given
>back-channel comments I have heard about the expectation of the work to
>be done after these specifications are published.

We do expect basic SIP literacy, and a willingness to follow references
and read external specifications and sections that are cited. Readers that
are unwilling to do this will probably find a lot of things confusing in
there.
[MB]  I think the challenge is that 'basic SIP literacy' isn't such a basic thing anymore and it does require *a lot* of background to parse this document, but I don't know a way around that. [/MB]

>Overall, the writing impedes comprehension and the document needs a very
>diligent pass by a technical editor.  I suspect this will uncover quite
>a number of semantic deficiencies in the text.

You did catch some good typos, and I caught a few more following your
notes through the text. I'm not sure that yielded the semantic
difficulties you speculate about here though.

>There is a possible tendency to support more alternative behavior than
>appropriate. Successful interoperability usually benefits from fewer
>choices, not more.  Common, mandatory canonicalization is an example.

Common, mandatory canonicalization of telephone numbers is unfortunately
only slightly more reliable than common, mandatory normalization of
internationalized domain names. At least it's just numbers. The algorithm
we have is good enough to cover the common operational case, and where it
fails, hopefully "canon" will help to close the gap.

>Credentials: the specification neither defines nor references a standard
>for the specification of credentials, here.  That means that the
>technical details -- as distinct from the operational policies -- of
>credentials are out of scope, although they are fundamental to proper
>operation of this serve.  This is a showstopper, in terms of
>specification completeness for the service.

Well, it does reference a standard for the specification of credentials:
stir-certs. I agree it would be a showstopper if we didn't have the
stir-certs work.

>How is the recipient to know what credential 'standard' is used?  How
>does this ensure interoperability between two participants who have not
>interacted before?

There is in practice only one at the moment. I'm content to worry about
interop problems when we have another one.

>At base, these specifications appear intended to roughly chart out a
>system structure, leaving most of the difficult work for later and
>elsewhere.  By way of example, there are few if any cross-organization
>key management services on the Internet that demonstrate the utility
>needed here.  I am pretty sure that Web certs don't qualify.  We know
>that DKIM's operation does, of course.  However DKIM strictly uses
>domain names as identifiers and they conveniently align with their
>administrative authorities, whereas telephone numbers do not...

I'd say that, by design, rfc4474bis is pretty tightly confined to
specifying the SIP over-the-wire protocol behavior. It takes a lot of spec
just to do that.

And your praise of DKIM as a model is once again noted. I would respond
again that we are unlikely to abandon our years of work on this mechanism
and switch to DKIM at this point, no matter how many comments you place in
our path.

>      [[[ The mailing list just had an extensive regurgitation of
>critical commentary about ENUM.  What appears to be getting missed is
>that whatever mechanism is going to be used for finding and validating
>keys is going to have no operational history of reliability, safety or
>efficacy. ]]]

HTTP has none of those qualities, apparently.

>There is remarkably little of the original RFC 4474 substance still in
>this document.  Calling it a bis is a bit like tearing all of a building
>except its fireplace or its front door and calling that a remodeling.
>The previous document does not have an installed base, so I strongly
>suggest removing all references to it.  It will allow some of the text
>to be notably simpler and clearer.

I think enough of the concepts and protocol mechanisms of the original are
retained to warrant keeping this as a bis.

[MB] I'm not sure on this one, in particular given that it deprecates the header fields defined in RFC 4474 (per section 8).  And, unlike other -bis specs there is no summary section in this document of the differences between the two.  Also, currently this draft doesn't indicate what impact it has on 4474 in the header page. There is the sentence at the end of section 1 stating that this document "revises RFC 4474" but that's not particularly meaningful. Given that when we produced RFC 7044, we obsoleted RFC 4244 despite RFC 7044 being backwards compatible with RFC 4244, I really think that this draft should be documented as obsoleting RFC 4474. [/MB]

>The document is heavy with forward references.  These force the reader
>to stop what they are in the middle of, try to hold that place, and look
>forward to understand what they've just been interrupted from reading.
>As a literary style, forward references create useful tension.  In
>specifications they just interrupt the flow.  The document should be
>reorganization so that integrative text comes /after/ the text
>describing the pieces being integrated.  And opening overview, design
>summary, or the like can give a non-normative description of the
>architecture and the service, so the reader has a basic sense of the big
>picture, before diving into the detail of those to-be-integrated pieces.


Dave does make a number of organizational suggestions about the spec. The
spec has an overview, a design summary, before it gets down to specifying
things. The virtue of the "integrative" approach he describes is however
unclear to me. I think whether you define the auth service behavior first
or define the header syntax first, one of those sections is going to end
up pointing to the other. There wasn't much in his reorg suggestions that
seemed to me like a substantial improvement.
[MB] As another RFC 4244 example, we did find that moving the syntax early in the document in RFC 7044 made it more readable.  From a developer's perspective, I think it's helpful to have the syntax in mind as one reads all the details of the processing.[/MB]

Overall, there are a handful of changes (beyond the typos, which again are
appreciated) I'd make based on the substance of Dave's review. Some of the
suggestions to rename sections seem harmless to me. Like some other people
who come to mind, he would like to see some more precise specification and
examples of how you break off the signature from JWT. He pointed out that
we really don't have any motivation for including multiple Identity
headers in there, and we probably do need an indication of what future
work might use that feature.
[MB] I would 3rd the need for examples.  That has been a usual practice for other RFCs defining new SIP header fields (and header field parameters). [/MB]

In terms of topics for discussion that might warrant the attention of the
working group, he did suggest we need to be sure we think the scope of the
signature is correct, and that we have enough confidence that
intermediaries won't break it, and that when it is broken, the verifier
behavior makes sense. I think we've focused a lot of attention on those
questions, but I'm happy to talk more about that if people think there's
room for improvement.

Also, he suggests that we might need a better pointer than RFC3986 Section
6.2.2 for URI normalization procedures. If anyone (including Dave!) knows
of one, I'd be happy to cite it instead.

Otherwise, I think we've got this covered. Anyone who's interested in
further details can see the attached.

Jon Peterson
Neustar, Inc.


_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir


________________________________

This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.

v2.23.0 | Report a Bug | By Email